At 02:24 10/05/2000 -0500, Jay Jacobs wrote:
> So as I see it there are essentially 2 *mostly* reliable ways, cookies
>and url-rewriting. Both have drawbacks and neither are 100%.
Well, if it's *reliability* that you are looking for, URL rewriting seems to
come across as better. None of the following points really keeps you from
implementing a quite reliable scheme, depending of course on the level of
security that you want.
>URLS:
>- redirecting to a different site sends the session_id in the
>HTTP_REFERER in some browsers, which ruins it for the rest of the world ;)
Writing a handler that sends a proper redirect to browsers known to handle
it correctly and a <meta> redirect to the rest takes only a few lines of
code. I know the latter isn't the most beautiful solution but hey, dirty
browser, dirty solution :)
>- requires site-wide url-rewriting or site-wide relative links (including
>things like "../../index.html" which seems ugly IMO)
url-rewriting can be costly, but it isn't really hard to do. And there are
advantages to relative linking.
>- users bookmarking with the session_id which may be expired on the server
>side thus negating the bookmarked session.
Well, either the session is still valid (as it would be for instance with a
long-lasting cookie) and there isn't a problem, or it isn't and the user
should log in again, or be redirected to another url with a proper session.
>- messes up logging unless a custom logging handler, or url-rewriting
>before logging is implemented
Again that isn't hard or long to do.
I'm not trying to say that your points are wrong and that having to
implement all this is not troublesome, but url rewriting seems to me to be
pretty reliable, at least compared to cookies. The user can still try to
delete the session from the url, but that's the same problem with cookies.
Suffice it to say cookies are *much* more likely to be off than urls :)
It's more a question of doing it cleanly and efficiently than reliably imho.
There are also things that can be done with domain levels under the second
(e.g. ses465738.domain.com) that take care of points 2 and 4 (but it's ugly).
.Robin
Forty two.
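The four helpers the message above says are "only a few lines of code", written out as an added example (not code from the original message or from either poster): same-site-only link rewriting so the id never leaves the site, the 3xx-vs-<meta> redirect chosen by User-Agent, log scrubbing, and the bookmarked-but-expired-session case. The parameter name `session_id`, the host `www.example.com`, the `KNOWN_GOOD_REDIRECT` browser list, the session TTL and all function names are assumptions; whether a <meta> refresh actually suppresses the Referer is the message's claim, not something this code checks.

```python
"""Session tracking by URL rewriting (added example; names are assumptions)."""
import html
import re
import time
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode, quote

SESSION_PARAM = "session_id"        # assumed query-string key
SITE_HOST = "www.example.com"       # assumed own hostname
SESSION_TTL = 30 * 60               # assumed session lifetime, seconds
# Browsers assumed (for this example only) to drop the Referer on a 3xx.
KNOWN_GOOD_REDIRECT = ("SafeBrowser/",)


def add_session(url, session_id):
    """Append the session id to same-site URLs only. Off-site, mailto: and
    javascript: links are returned untouched so the id never leaves the site."""
    p = urlsplit(url)
    if p.scheme in ("mailto", "javascript", "tel"):
        return url
    if p.netloc and p.netloc != SITE_HOST:
        return url
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if k != SESSION_PARAM]
    query.append((SESSION_PARAM, session_id))
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), p.fragment))


_ATTR = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_links(page, session_id):
    """Site-wide rewriting: carry the id on every same-site link, image and
    form target in a served page (relative links are same-site by definition)."""
    def fix(m):
        new_url = add_session(html.unescape(m.group(3)), session_id)
        return "%s=%s%s%s" % (m.group(1), m.group(2),
                              html.escape(new_url, quote=False), m.group(2))
    return _ATTR.sub(fix, page)


def external_redirect(target, user_agent):
    """Leaving the site: a 302 for browsers known to drop the Referer on a
    redirect, a <meta> refresh for the rest. Returns (status, headers, body)."""
    if urlsplit(target).scheme not in ("http", "https"):
        raise ValueError("refusing non-http redirect target")  # no javascript:
    if user_agent.startswith(KNOWN_GOOD_REDIRECT):
        return 302, {"Location": target}, ""
    safe = html.escape(target, quote=True)
    body = ('<html><head><meta http-equiv="refresh" content="0;url=%s"></head>'
            '<body><a href="%s">Continue</a></body></html>' % (safe, safe))
    return 200, {"Content-Type": "text/html"}, body


def scrub_log_url(url):
    """Logging: strip the session id before the request line reaches the log."""
    p = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if k != SESSION_PARAM]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), p.fragment))


def resolve_session(request_url, sessions, now=None):
    """Bookmarked URL: if the carried session is still live, use it; otherwise
    send the user to log in, keeping the scrubbed URL as the return target.
    `sessions` maps session id -> expiry timestamp (assumed server-side store)."""
    now = time.time() if now is None else now
    sid = dict(parse_qsl(urlsplit(request_url).query)).get(SESSION_PARAM)
    if sid in sessions and sessions[sid] > now:
        return "ok", sid
    return "login", "/login?next=" + quote(scrub_log_url(request_url), safe="")


if __name__ == "__main__":
    # Constructed sample page, not captured from any real site.
    page = ('<a href="../../index.html?x=1">up</a> '
            '<a href="http://other.example.org/">out</a> '
            '<form action="/post">')
    print(rewrite_links(page, "abc123"))
    print(external_redirect("http://other.example.org/", "Mozilla/4.0")[2])
    print(scrub_log_url("/page?session_id=abc123&q=1"))
    print(resolve_session("/page?session_id=abc123", {"abc123": 1000}, now=2000))
```

The off-site test in `add_session` is what keeps the <meta> trick and the log scrubbing from being the only defence: a link to another host is never rewritten, so the only way the id leaves the site is through the Referer on a redirect, which is exactly the case `external_redirect` handles.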